5

I want to forward (reverse proxy) requests to https://secure.mydomain.com(:443) to my internal (HTTPS-)WebServer on port 8443 using lighttpd.

Environment-Infos:
My WebServer is a Tomcat running on port 8080 (HTTP) and port 8443 (HTTPS).
HTTP and HTTPS work well when accessing it locally (http://127.0.0.1:8080 and/or https://127.0.0.1:8443).

(Port 8080 + port 8443 are not directly reachable over the Internet.)

For HTTP, this config works:

# lighttpd mod_proxy: requests for this vhost are forwarded to Tomcat's plain-HTTP listener
$HTTP["host"] == "unsecure.mydomain.com" {
    proxy.server  = ( "" => ( (
            "host" => "127.0.0.1",   # backend is local only; not reachable from the Internet
            "port" => 8080
    ) ) )
}

Question:
What is needed to reverse-proxy HTTPS?

Ben
  • 221
  • 2
  • 6

1 Answer

2

lighttpd doesn't support TLS on backend connections.

If the backend needs to know whether the frontend connection was made with TLS, check the X-Forwarded-Proto header.

If you need an encrypted connection to the backend (due to an untrusted network), use a VPN.

If you want end-to-end encryption to the backend, you need a TCP proxy (haproxy can route connections based on SNI), or just forward it with iptables and DNAT.

Stefan
  • 819
  • 1
  • 7
  • 18
  • this should be the accepted answer; haproxy is a very useful tool and I used it to forward an HTTPS server to the internet (I just used TCP SSL pass-through). Thanks for pointing it out – Riccardo Cossu Sep 27 '18 at 08:52
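The TCP pass-through option from the answer above, written out as an added example (this is not configuration from the question or the answer). It assumes haproxy owns TCP/443 on the public address, that lighttpd no longer binds :443 on that address (it can keep serving unsecure.mydomain.com on port 80), and that Tomcat on 127.0.0.1:8443 presents a certificate valid for secure.mydomain.com, because with pass-through the client's TLS session terminates on Tomcat and the client validates Tomcat's certificate directly. The hostname and backend names are placeholders taken from the question.

```haproxy
# Added example: SNI-routed TLS pass-through in front of Tomcat.
# Assumptions (not from the original post): haproxy binds :443 on the
# public address, Tomcat listens on 127.0.0.1:8443 with a certificate for
# secure.mydomain.com, lighttpd does not bind :443 on the same address.

global
    log   /dev/log local0
    user  haproxy
    group haproxy

defaults
    mode    tcp           # layer 4 only: haproxy never decrypts the stream
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend tls_in
    bind :443
    # Hold the connection until the ClientHello has arrived; without the
    # inspect-delay, req.ssl_sni is evaluated before any bytes exist.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route by the SNI name in the ClientHello. Encrypted bytes are relayed
    # unchanged, so the client sees Tomcat's certificate, not a proxy's.
    use_backend tomcat_tls if { req.ssl_sni -i secure.mydomain.com }
    # Anything with a missing or unknown SNI is refused rather than handed
    # to the internal server.
    default_backend no_match

backend tomcat_tls
    # "check" in tcp mode is a plain TCP connect check; it does not speak TLS.
    server tomcat 127.0.0.1:8443 check

backend no_match
    tcp-request content reject
```

Two caveats a practitioner should keep in mind. First, in pass-through mode Tomcat sees every connection as coming from 127.0.0.1; the real client address is only available if both sides speak the PROXY protocol or the application is reachable some other way, so access logs and IP-based rules on Tomcat need to account for that. Second, the iptables DNAT alternative named in the answer is simpler but has no SNI: everything arriving on :443 goes to one backend, so it only fits a host that serves a single HTTPS name.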